Log4Shell: log4j Remote Code Execution vulnerability
No violationsstackroxcriticalbuilddeployAlert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.
- Rationale
- These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.
- Remediation
- Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
CategoriesVulnerability Management
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.8
- NIST SP 800-53 rev. 5
- RA-5
- PCI DSS 4.0
- 6.3.1
- SOC 2 2017 TSC
- CC7.1
Generated artifacts
1 of 5 targets supportedlog4shell-log4j-remote-code-execution-vulnerability.rego
# Log4Shell: log4j Remote Code Execution vulnerability (trivy)
# severity: critical
# source: stackrox/cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4
package trivy.log4shell_log4j_remote_code_execution_vulnerability
deny[msg] {
# rule 1
some v
v := input.Vulnerabilities[_]
v.VulnerabilityID == {"CVE-2021-44228", "CVE-2021-45046"}[_]
msg := "[critical] Log4Shell: log4j Remote Code Execution vulnerability: Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2."
}
IR (canonical)
{
"id": "cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4",
"name": "Log4Shell: log4j Remote Code Execution vulnerability",
"description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
"rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
"remediation": "Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class",
"severity": "critical",
"categories": [
"Vulnerability Management"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "cve",
"values": [
"CVE-2021-44228",
"CVE-2021-45046"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "cf80fb33-c7d0-4490-b6f4-e56e1f27b4e4",
"name": "Log4Shell: log4j Remote Code Execution vulnerability",
"description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
"rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
"remediation": "Update the log4j libary to version 2.16.0 (for Java 8 or later), 2.12.2 (for Java 7) or later. If not possible to upgrade, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class",
"disabled": false,
"categories": [
"Vulnerability Management"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "CRITICAL_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "CVE",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "CVE-2021-44228"
},
{
"value": "CVE-2021-45046"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}